Re-architect iOS XCUITest suite: per-test isolation + domain organization

Migrate the XCUITest suite off the legacy shared-account model (and the prior Django-style auth assumptions) to a parallel-safe, domain-organized architecture, validated end-to-end against the live Kratos stack. Isolation (parallel-safe by construction): - Core/Fixtures/TestAccount.swift: each test mints its own pre-verified Kratos identity (uit_<domain>_<uuid>@test.honeydue.local), logs in, seeds under its own token, and deletes the identity in teardown (cascading all data + clearing Kratos). No shared testuser; parallel workers no longer race. - AuthenticatedUITestCase rewritten to that model (member surface preserved); adds requiresResidence / seedAccountPreconditions to seed UI-gated data BEFORE login (a fresh account is empty at login). Organization (255 tests preserved, none dropped): - 21 domain suites under Auth/ Onboarding/ Residence/ Task/ Contractor/ Document/ Sharing/ Navigation/ Smoke/ CrossCutting/ E2E/, consistent <Domain>UITests naming. Removes the Suite1..11 / AAA_ / ZZ_ / Tests/Rebuild naming chaos and the overlapping task/residence/auth suites. Runner + test plans: - run_ui_tests.sh: Smoke gate -> Seed -> Parallel(8 workers) -> Sweep. The parallel phase runs the whole target minus phase-managed suites via -skip-testing, so new suites auto-include (no hand-maintained list to drift). Drops the 2-worker cap and Suite6 isolation (isolation made them moot). - HoneyDueUITests.xctestplan skips the 4 phase-managed suites; adds Smoke.xctestplan. Kratos auth fixes folded in (login/verify/reset endpoints removed under Kratos): real Mailpit verification codes replace the obsolete fixed "123456"; teardown deletes Kratos identities; admin-panel login uses the correct seeded password. Build green; isolation, parallelism, and the precondition/sharing migrations validated against the live stack (0 leaked accounts). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-05 16:26:50 -05:00
parent 09120e9d9d
commit c52ce4d497
44 changed files with 3824 additions and 3057 deletions
@@ -0,0 +1,293 @@
+import XCTest
+
+/// Tests for the password reset flow against the local stack.
+///
+/// The app's reset flow is wired to a real Kratos recovery flow: the
+/// forgot-password screen starts a Kratos recovery flow and submits the email
+/// (AuthApi.kt:406 `forgotPassword`), which makes Kratos EMAIL a 6-digit
+/// recovery code that lands in Mailpit locally. The verify screen submits that
+/// emailed code back to the same flow (AuthApi.kt:448 `verifyResetCode`). So
+/// these tests read the live code from Mailpit instead of any fixed code.
+///
+/// Test Plan IDs: AUTH-015, AUTH-016, AUTH-017
+final class AuthPasswordResetUITests: BaseUITestCase {
+    override var relaunchBetweenTests: Bool { true }
+
+    private var testSession: TestSession?
+    private var cleaner: TestDataCleaner?
+
+    override func setUpWithError() throws {
+        guard TestAccountAPIClient.isBackendReachable() else {
+            throw XCTSkip("Local backend is not reachable at \(TestAccountAPIClient.baseURL)")
+        }
+
+        guard let session = TestAccountManager.createVerifiedAccount() else {
+            throw XCTSkip("Could not create verified test account")
+        }
+        testSession = session
+        cleaner = TestDataCleaner(token: session.token)
+
+        // Force clean app launch — password reset flow leaves complex screen state
+        app.terminate()
+        try super.setUpWithError()
+    }
+
+    override func tearDownWithError() throws {
+        cleaner?.cleanAll()
+        try super.tearDownWithError()
+    }
+
+    // MARK: - AUTH-015: Verify reset code reaches new password screen
+
+    func testAUTH015_VerifyResetCodeSuccessPath() throws {
+        let session = try XCTUnwrap(testSession)
+        // Capture the recovery email ONCE and reuse it for both the request and
+        // the Mailpit lookup, so the lookup address matches what we submitted.
+        let email = session.user.email
+
+        // Navigate to forgot password
+        let login = TestFlows.navigateToLoginFromOnboarding(app: app)
+        login.tapForgotPassword()
+
+        // Enter email and send code
+        let forgotScreen = ForgotPasswordScreen(app: app)
+        forgotScreen.waitForLoad()
+        forgotScreen.enterEmail(email)
+        forgotScreen.tapSendCode()
+
+        // Read the REAL Kratos recovery code Kratos emailed to Mailpit.
+        let code = TestAccountAPIClient.latestVerificationCode(for: email) ?? ""
+        XCTAssertFalse(code.isEmpty, "No Kratos recovery code arrived in Mailpit for \(email)")
+
+        let verifyScreen = VerifyResetCodeScreen(app: app)
+        verifyScreen.waitForLoad()
+        verifyScreen.enterCode(code)
+        verifyScreen.tapVerify()
+
+        // Should reach the new password screen
+        let resetScreen = ResetPasswordScreen(app: app)
+        try resetScreen.waitForLoad(timeout: loginTimeout)
+    }
+
+    // MARK: - AUTH-016: Full reset password cycle + login with new password
+
+    func testAUTH016_ResetPasswordSuccess() throws {
+        let session = try XCTUnwrap(testSession)
+        let newPassword = "NewPass9876!"
+        // Capture the recovery email ONCE for both the request and Mailpit lookup.
+        let email = session.user.email
+
+        // Navigate to forgot password
+        let login = TestFlows.navigateToLoginFromOnboarding(app: app)
+        login.tapForgotPassword()
+
+        // Drive the full reset flow inline (NOT TestFlows.completeForgotPasswordFlow,
+        // which hardcodes the obsolete debug code) so we submit the REAL Kratos
+        // recovery code read from Mailpit.
+        try completeForgotPasswordFlowWithRealCode(email: email, newPassword: newPassword)
+
+        // After reset, the app auto-logs in with the new password.
+        // If auto-login succeeds → app goes directly to main tabs (sheet dismissed).
+        // If auto-login fails → success message + "Return to Login" button appear.
+        let tabBar = app.tabBars.firstMatch
+        let returnButton = app.buttons[UITestID.PasswordReset.returnToLoginButton]
+
+        let deadline = Date().addingTimeInterval(loginTimeout)
+        var reachedPostReset = false
+        while Date() < deadline {
+            if tabBar.exists {
+                // Auto-login succeeded — password reset worked!
+                reachedPostReset = true
+                break
+            }
+            if returnButton.exists {
+                // Auto-login failed — manual login needed
+                reachedPostReset = true
+                returnButton.forceTap()
+                break
+            }
+            RunLoop.current.run(until: Date().addingTimeInterval(0.5))
+        }
+
+        XCTAssertTrue(reachedPostReset, "Expected main tabs (auto-login) or return button (manual login) after password reset")
+
+        if tabBar.exists {
+            // Already logged in via auto-login — test passed
+            return
+        }
+
+        // Manual login path: return button was tapped, now on login screen
+        let loginScreen = LoginScreenObject(app: app)
+        loginScreen.waitForLoad(timeout: loginTimeout)
+        loginScreen.enterUsername(email) // Kratos login identifier is the EMAIL
+        loginScreen.enterPassword(newPassword)
+
+        let loginButton = app.buttons[UITestID.Auth.loginButton]
+        loginButton.waitUntilHittable(timeout: 10).tap()
+
+        XCTAssertTrue(tabBar.waitForExistence(timeout: loginTimeout), "Should login successfully with new password")
+    }
+
+    // MARK: - AUTH-015 (alias): Verify reset code reaches the new password screen
+
+    func test03_verifyResetCodeSuccess() throws {
+        try XCTSkipIf(!TestAccountAPIClient.isBackendReachable(), "Backend not reachable")
+
+        let session = try XCTUnwrap(testSession)
+        // Capture the recovery email ONCE for both the request and Mailpit lookup.
+        let email = session.user.email
+
+        // Navigate to forgot password
+        let login = TestFlows.navigateToLoginFromOnboarding(app: app)
+        login.tapForgotPassword()
+
+        // Enter email and send the reset code
+        let forgotScreen = ForgotPasswordScreen(app: app)
+        forgotScreen.waitForLoad()
+        forgotScreen.enterEmail(email)
+        forgotScreen.tapSendCode()
+
+        // Read the REAL Kratos recovery code Kratos emailed to Mailpit.
+        let code = TestAccountAPIClient.latestVerificationCode(for: email) ?? ""
+        XCTAssertFalse(code.isEmpty, "No Kratos recovery code arrived in Mailpit for \(email)")
+
+        let verifyScreen = VerifyResetCodeScreen(app: app)
+        verifyScreen.waitForLoad()
+        verifyScreen.enterCode(code)
+        verifyScreen.tapVerify()
+
+        // The reset password screen should now appear
+        let resetScreen = ResetPasswordScreen(app: app)
+        try resetScreen.waitForLoad(timeout: loginTimeout)
+    }
+
+    // MARK: - AUTH-016 (alias): Full reset flow + login with new password
+
+    func test04_resetPasswordSuccessAndLogin() throws {
+        try XCTSkipIf(!TestAccountAPIClient.isBackendReachable(), "Backend not reachable")
+
+        let session = try XCTUnwrap(testSession)
+        let newPassword = "NewPass9876!"
+        // Capture the recovery email ONCE for both the request and Mailpit lookup.
+        let email = session.user.email
+
+        // Navigate to forgot password, then drive the complete 3-step reset flow
+        let login = TestFlows.navigateToLoginFromOnboarding(app: app)
+        login.tapForgotPassword()
+
+        // Drive the full reset flow inline (NOT TestFlows.completeForgotPasswordFlow,
+        // which hardcodes the obsolete debug code) so we submit the REAL Kratos
+        // recovery code read from Mailpit.
+        try completeForgotPasswordFlowWithRealCode(email: email, newPassword: newPassword)
+
+        // Wait for a success indication — either a success message or the return-to-login button
+        let successText = app.staticTexts.containing(
+            NSPredicate(format: "label CONTAINS[c] 'success' OR label CONTAINS[c] 'reset'")
+        ).firstMatch
+        let returnButton = app.buttons[UITestID.PasswordReset.returnToLoginButton]
+
+        // After reset, the app auto-logs in with the new password.
+        // If auto-login succeeds → app goes to main tabs. If fails → return button appears.
+        let tabBar = app.tabBars.firstMatch
+
+        let deadline = Date().addingTimeInterval(loginTimeout)
+        var reachedPostReset = false
+        while Date() < deadline {
+            if tabBar.exists {
+                reachedPostReset = true
+                break
+            }
+            if returnButton.exists {
+                reachedPostReset = true
+                returnButton.forceTap()
+                break
+            }
+            RunLoop.current.run(until: Date().addingTimeInterval(0.5))
+        }
+
+        XCTAssertTrue(reachedPostReset, "Expected main tabs (auto-login) or return button after password reset")
+
+        if tabBar.exists { return }
+
+        // Manual login fallback
+        let loginScreen = LoginScreenObject(app: app)
+        loginScreen.waitForLoad(timeout: loginTimeout)
+        loginScreen.enterUsername(email) // Kratos login identifier is the EMAIL
+        loginScreen.enterPassword(newPassword)
+
+        let loginButton = app.buttons[UITestID.Auth.loginButton]
+        loginButton.waitUntilHittable(timeout: 10).tap()
+
+        XCTAssertTrue(tabBar.waitForExistence(timeout: loginTimeout), "Should login successfully with new password")
+    }
+
+    // MARK: - AUTH-017: Mismatched passwords are blocked
+
+    func testAUTH017_MismatchedPasswordBlocked() throws {
+        let session = try XCTUnwrap(testSession)
+        // Capture the recovery email ONCE for both the request and Mailpit lookup.
+        let email = session.user.email
+
+        // Navigate to forgot password
+        let login = TestFlows.navigateToLoginFromOnboarding(app: app)
+        login.tapForgotPassword()
+
+        // Get to the reset password screen
+        let forgotScreen = ForgotPasswordScreen(app: app)
+        forgotScreen.waitForLoad()
+        forgotScreen.enterEmail(email)
+        forgotScreen.tapSendCode()
+
+        // Read the REAL Kratos recovery code Kratos emailed to Mailpit.
+        let code = TestAccountAPIClient.latestVerificationCode(for: email) ?? ""
+        XCTAssertFalse(code.isEmpty, "No Kratos recovery code arrived in Mailpit for \(email)")
+
+        let verifyScreen = VerifyResetCodeScreen(app: app)
+        verifyScreen.waitForLoad()
+        verifyScreen.enterCode(code)
+        verifyScreen.tapVerify()
+
+        // Enter mismatched passwords
+        let resetScreen = ResetPasswordScreen(app: app)
+        try resetScreen.waitForLoad(timeout: loginTimeout)
+        resetScreen.enterNewPassword("ValidPass123!")
+        resetScreen.enterConfirmPassword("DifferentPass456!")
+
+        // The reset button should be disabled when passwords don't match
+        XCTAssertFalse(resetScreen.isResetButtonEnabled, "Reset button should be disabled when passwords don't match")
+    }
+
+    // MARK: - Helpers
+
+    /// Drive the full forgot-password → verify-code → reset-password UI flow using
+    /// the REAL Kratos recovery code read from Mailpit.
+    ///
+    /// This is a local replacement for `TestFlows.completeForgotPasswordFlow`, which
+    /// still hardcodes the obsolete `debugVerificationCode` ("123456"). The caller is
+    /// expected to have already reached the forgot-password screen (e.g. via
+    /// `login.tapForgotPassword()`). The `email` MUST be the same captured value used
+    /// elsewhere in the test so the Mailpit lookup matches the address submitted.
+    private func completeForgotPasswordFlowWithRealCode(email: String, newPassword: String) throws {
+        // Step 1: Enter email and request the recovery code.
+        let forgotScreen = ForgotPasswordScreen(app: app)
+        forgotScreen.waitForLoad()
+        forgotScreen.enterEmail(email)
+        forgotScreen.tapSendCode()
+
+        // Step 2: Read the REAL Kratos recovery code Kratos emailed to Mailpit.
+        let code = TestAccountAPIClient.latestVerificationCode(for: email) ?? ""
+        XCTAssertFalse(code.isEmpty, "No Kratos recovery code arrived in Mailpit for \(email)")
+
+        let verifyScreen = VerifyResetCodeScreen(app: app)
+        verifyScreen.waitForLoad()
+        verifyScreen.enterCode(code)
+        verifyScreen.tapVerify()
+
+        // Step 3: Set the new password.
+        let resetScreen = ResetPasswordScreen(app: app)
+        try resetScreen.waitForLoad()
+        resetScreen.enterNewPassword(newPassword)
+        resetScreen.enterConfirmPassword(newPassword)
+        resetScreen.tapReset()
+    }
+}